## I have read the [CONTRIBUTING.md](https://github.com/supabase/supabase/blob/master/CONTRIBUTING.md) file.
YES
## What kind of change does this PR introduce?
Updates humans.txt to include my name.
## What is the current behavior?
N/A
## What is the new behavior?
N/A
## Additional context
N/A
## Summary by CodeRabbit
* **Chores**
  * Added new team member to the contributor list.
## I have read the [CONTRIBUTING.md](https://github.com/supabase/supabase/blob/master/CONTRIBUTING.md) file.
YES
## Summary by CodeRabbit
* **Documentation**
  * Instructed granting least-privilege table permissions for anon,
    authenticated, and service roles prior to enabling Row Level Security
    across multiple guides and quickstarts.
  * Clarified SQL examples and inline comments, added explicit GRANT steps
    and RLS SELECT policies, rephrased policy guidance, and adjusted example
    ordering and section numbering for clearer setup and testing.
---------
Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>
Updates the Auth Signing Keys and JWTs pages to align on the new keys
while still leaving the relevant information about the legacy keys until
post-deprecation.
Co-authored-by: Chris Chinchilla <chris.ward@supabase.io>
Updates the marketplace DB query to use the new `publish_dashboard`
column that was added in https://github.com/supabase/marketplace/pull/49
## Summary by CodeRabbit
* **Chores**
  * Updated internal marketplace integration query and database type
    definitions to streamline listing management logic.
## Summary
- Add `SUPABASE_JWKS` to the default secrets list, noting it matches the
public JWKS endpoint
- Update the example in "Accessing environment variables" to use
`SUPABASE_PUBLISHABLE_KEYS` / `SUPABASE_SECRET_KEYS` (matches the
pattern in `functions/auth.mdx`)
- Add an inline note that `'default'` can be swapped for another key
name
## Summary by CodeRabbit
## Release Notes
* **Documentation**
  * Updated Edge Functions secrets guide with improved code examples.
  * Introduced `SUPABASE_JWKS` environment variable for JWT verification.
  * Enhanced examples demonstrating environment variable configuration and
    Supabase client initialization.
## What kind of change does this PR introduce?
Cleanup.
## What is the current behavior?
Temporary access still has a couple of leftover JIT fallback messages
and an unnecessary local unavailable-reason type after the Platform
response types were split into `JitAccessResponse` and
`JitStateResponse`.
## What is the new behavior?
Studio relies on the generated `JitStateResponse` discriminated union
for the toggle warning and uses temporary access copy consistently in
the remaining fallback toasts.
## Summary by CodeRabbit
* **Improvements**
  * Refined error messaging for temporary database access grant and revoke
    operations.
  * Enhanced condition detection for toggle failure warnings in database
    access configuration.
<img width="2652" height="830" alt="image"
src="https://github.com/user-attachments/assets/3c3921e7-c255-4e59-a9c3-c5f97da87788"
/>
Adds a full screen alert behind a feature flag `projectNeedsSecuring`
that prompts for fixing RLS issues.
Adjusts a few other small styles to add more prominence to critical
advisor issues.
To test:
- Enable the flag
- Make sure you have a table with RLS disabled
- Open project home and note the fade in of full page review
- Click "copy prompt" or "fix" and note the prompt
- Click skip to home and refresh the page, note it doesn't appear
anymore
## Summary by CodeRabbit
* **New Features**
  * Project-level security gate on project home with AI assistant prompts,
    table details, per-project dismissible notice, and a new telemetry event
    for CTA interactions.
* **Improvements**
  * Stronger visual treatment for critical advisor items and advisor CTA
    when critical issues exist.
  * Assistant dropdown supports a copy-prompt callback; added
    local-storage key and utilities/types to support project security
    workflows.
* **Tests**
  * Added tests covering gate behavior, navigation, and dismissal logic.
---------
Co-authored-by: Joshen Lim <joshenlimek@gmail.com>
The Realtime policies editor was showing a warning banner on
`realtime.messages` saying the schema isn't exposed through PostgREST.
This is incorrect — the `realtime` schema is intentionally excluded from
PostgREST (it's in `INTERNAL_SCHEMAS` and filtered out of the exposed
schema picker), so the warning is always false in this context.
**Changed:**
- Removed `useProjectPostgrestConfigQuery` from `RealtimePolicies` — it
was only used to derive `exposedSchemas`
- Hardcode `exposedSchemas` as `['realtime']` since this editor is for
Realtime auth, not PostgREST access
## To test
- Go to the Realtime policies editor (`/project/_/realtime/policies`)
- Confirm the yellow "schema not exposed" warning banner no longer
appears on `realtime.messages`
- Confirm policy rows still render correctly and other admonitions (e.g.
publicly-readable if RLS is off) still show as expected
## Summary by CodeRabbit
* **Bug Fixes**
  * Improved stability of Realtime Policies schema handling by simplifying
    configuration logic to consistently use the realtime schema.
Co-authored-by: Alaister Young <10985857+alaister@users.noreply.github.com>
## Summary
Wires up database advisor rule `0012_auth_allow_anonymous_sign_ins` in
the Studio Linter so it shows up with the right title, icon, action
link, and docs link instead of falling back to a generic display.
The rule entry navigates to `/auth/providers` (where the "Allow
anonymous sign-ins" toggle lives), modeled after rule 0019
(`auth_otp_long_expiry`) which uses the same target.
## Test plan
- [x] Trigger rule 0012 on a test project (enable anonymous sign-ins on
a project with RLS-protected tables)
- [x] Verify the lint appears in Security Advisor with title "Anonymous
Sign-Ins Allowed" and User icon
- [x] Verify the "View settings" CTA navigates to
`/project/<ref>/auth/providers`
- [x] Verify the "Learn more" link points to the 0012 docs section
## Summary by CodeRabbit
* **New Features**
  * Added a new authentication lint rule that identifies anonymous sign-in
    configuration issues and provides integrated guidance to the auth
    providers settings page with relevant documentation.
## Summary
Fixes [FE-3095](https://linear.app/supabase/issue/FE-3095/compute-size-hover-card-shows-badge-and-cpumemory-from-out-of-sync).
The compute size hover card on the project home dashboard was sourcing
its badge and its CPU/memory rows from two different cached responses,
which can disagree:
| Field shown | Previous source |
|---|---|
| Badge ("XLARGE") | `project.infra_compute_size` (project-detail query) |
| Cores / memory | `selected_addons[compute_instance].variant.meta` (project-addons query) |
A customer reported seeing an **XLARGE** badge next to **2-core ARM
(Shared) / 1 GB** — the micro-tier specs — and asked whether their
upgrade had actually been applied. The upgrade was applied; only the
rendered card was contradictory.
## Fix
Source both the badge and the CPU/memory rows from the same logical
fact: look up the variant in `available_addons` whose identifier matches
`ci_${infra_compute_size}` and read its `meta`. `available_addons` is
essentially a static catalog of variant specs, so once it's loaded the
card cannot show specs that disagree with the badge.
This also collapses the special-cased `INSTANCE_MICRO_SPECS` fallback
into the existing `getAvailableComputeOptions` helper (which already
provides micro/nano fallbacks). The nano UX text ("Shared / Up to 0.5
GB") is preserved by switching that JSX branch to key on `computeSize
=== 'nano'`.
## Out of scope
- `useProjectAddonUpdateMutation` does not invalidate
`projectKeys.detail`. That's hygiene worth doing later, but
project-detail has a 30s `staleTime` and the resize already drives 5s
polling via the `RESIZING` status path, so the badge refreshes naturally
and this fix doesn't depend on it.
## Test plan
- [ ] Hover the compute badge on a project at each compute size (nano,
micro, small, ..., 16xlarge) and confirm CPU and memory rows match the
badge.
- [ ] Resize a project from micro → large; on completion, confirm the
hover card shows large specs (no transient micro values).
- [ ] Open the dashboard for a free-tier project on micro that has no
`compute_instance` entry in `selected_addons` and confirm the card still
shows micro specs (i.e. `getAvailableComputeOptions` micro fallback is
engaged).
- [ ] Confirm the "Unlock more compute" CTA still appears for
non-highest sizes and disappears at the highest size.
## Context
As per PR title - will make the RLS tester available for CLI / self-host
(still as a feature preview)
## To test
- [x] Verify briefly locally that the RLS tester is available for use,
and works as expected
## Summary by CodeRabbit
* **Bug Fixes**
  * Improved user search error handling to display appropriate failure
    messages when search encounters issues.
* **Refactor**
  * Simplified RLS Tester feature availability logic by consolidating
    enablement checks across components and removing redundant feature flag
    dependencies.
## I have read the [CONTRIBUTING.md](https://github.com/supabase/supabase/blob/master/CONTRIBUTING.md) file.
YES
## What kind of change does this PR introduce?
Docs update
## What is the current behavior?
Current docs are wrong and yield `ERROR: parameter "pg_net.ttl" cannot
be changed now`
## What is the new behavior?
Additional permissions required, setting should be at the system level
## Summary by CodeRabbit
* **Documentation**
  * Updated pg_net setup guidance to require system-level configuration,
    added note that changing pg_net parameters requires superuser privileges
    (with grant example), and clarified applying parameter changes via
    system-level set followed by restarting the pg_net background worker.
## I have read the [CONTRIBUTING.md](https://github.com/supabase/supabase/blob/master/CONTRIBUTING.md) file.
YES
## What kind of change does this PR introduce?
Feature — a second batch of table editor shortcuts, stacked on top of
#45178.
## What is the current behavior?
Inserts / filters / sort / refresh are all mouse-only. No keyboard
access, and no affordance for discovering what keybinds might exist.
## What is the new behavior?
### New shortcuts
| Keybind | Action | Surface |
|---|---|---|
| `I` then `R` | Insert row | hotkey + Cmd+K + inline keybind in Insert dropdown |
| `I` then `C` | Insert column | hotkey + Cmd+K + inline keybind in Insert dropdown |
| `I` then `U` | Import data from CSV | hotkey + Cmd+K + inline keybind in Insert dropdown |
| `Shift+F` | Focus filters | hotkey + Cmd+K — focuses the new filter bar's freeform input |
| `F` then `C` | Clear filters | hotkey + Cmd+K — gated on `filters.length > 0` |
| `S` then `C` | Clear sort | hotkey + Cmd+K — gated on `sorts.length > 0` |
| `Shift+R` | Refresh table | hotkey + Cmd+K + hover tooltip on the Refresh button |
All are `ignoreInputs: true` so they don't fire while typing. The insert
/ clear-filters / clear-sort shortcuts use two-step chords so they don't
clobber single-letter keys users might reach for elsewhere; Focus
filters and Refresh keep their Shift-prefixed single-step bindings.
### Infrastructure
- **New `<ShortcutBadge>`** (`components/ui/ShortcutBadge.tsx`) — inline
keybind display. Reads the sequence straight from the registry, so the
ID is the single source of truth. Renders multi-step chords with a
"then" separator between steps. Defaults to `variant="inline"` (the flat
`text-foreground/40` style used across the app in `RunButton`,
`ActionBar`, `OperationQueueSidePanel`, etc.) with `variant="pill"`
available if someone needs the boxed style.
- **Insert dropdown restyled** — each `DropdownMenuItem` in
`HeaderNew`'s Insert menu now shows its keybind inline on the right
(centered vertically, with `pr-4` + `shrink-0` so long table names in
the description never crowd the badge).
- **`RefreshButton`** swapped from `ButtonTooltip` to `<Shortcut>` so
the keybind tooltip renders automatically from the registry.
- **`FilterPopoverPrimitive` untouched** — the old filter bar is being
deleted, so Shift+F is scoped to the new filter bar only. The handler
focuses `[data-testid="filter-bar-freeform-input"]` (the existing
freeform input in the ui-patterns `FilterBar` → `FilterGroup`).
## Additional context
Stacked on #45178 (FE-3057 — initial table editor shortcuts). Rebase
after that one merges.
### Test plan
- [x] Open a table → Insert dropdown shows keybind to the right of each
item, no wrap encroachment even with long table names
- [x] `I` then `R` opens the Row editor; `I` then `C` opens the Column
editor; `I` then `U` opens the CSV import flow
- [x] `Shift+F` focuses the new filter bar's freeform input
- [x] Add a filter → `F` then `C` clears it; shortcut disabled in Cmd+K
when no filters are applied
- [x] Sort a column → `S` then `C` clears sort; shortcut disabled when
no sorts
- [x] `Shift+R` refreshes the table (spinner shows on the Refresh
button); hover the button → keybind tooltip
- [x] All seven new entries show up in Cmd+K when their gates are
satisfied
## Summary by CodeRabbit
* **New Features**
  * Added keyboard shortcuts for table actions: insert row, insert column,
    import CSV, refresh, focus filters, clear filters, and clear sorts.
  * Shortcuts are available in the command menu and show visual keyboard
    hints.
* **UI**
  * Menu entries now display shortcut badges.
  * Refined dropdown spacing/layout and updated the refresh control to
    surface its shortcut.
## Summary
Improve the "Errors since last deploy" panel on the new edge function
overview page.
- **Error column**: stop showing the function URL. Pull the actual error
from the related runtime logs, trim the stack trace to a one-line
summary, and use that for the cell text and tooltip.
- **Troubleshoot column**: rename "Assistant" to "Troubleshoot" and add
a "View troubleshooting guide" item to the dropdown that opens
`supabase.com/docs/guides/troubleshooting` prefilled with `edge function
<ErrorType> <statusCode>`.
- **Runtime log block**: restyle the expanded per-row log section.
Monospace rows with structured timestamp / level badge / count /
message, a divider between entries, and destructive tinting only on
error rows. The previous layout ran text together with no separation.
## Test plan
- [x] `pnpm test:studio` for `EdgeFunctionRecentErrors.utils.test.ts`
(10 passing, including new cases for `summarizeErrorMessage`,
`getDisplayErrorMessage`, and `buildTroubleshootingDocsUrl`)
- [x] `pnpm typecheck` clean
- [x] `eslint` clean for changed files
- [ ] Visual check of the panel: Error cell shows the runtime error
summary, Troubleshoot dropdown opens docs in a new tab, log rows render
with the new structure
🤖 Generated with [Claude Code](https://claude.com/claude-code)
## Summary by CodeRabbit
* **New Features**
  * Added a "View troubleshooting guide" action that opens a
    status-code-specific docs page for each recent error.
  * Errors now show level badges and repetition counts in the logs for
    clearer scanning.
* **Bug Fixes**
  * Error text is summarized and normalized for concise, single-line
    display with clearer per-line styling.
* **Tests**
  * New tests validate error-summary, display-fallback, and
    troubleshooting-URL behaviors.
---------
Co-authored-by: Claude Opus 4.7 <noreply@anthropic.com>
## I have read the [CONTRIBUTING.md](https://github.com/supabase/supabase/blob/master/CONTRIBUTING.md) file.
YES
## What kind of change does this PR introduce?
Feature — a set of new keyboard shortcuts for the table editor, along
with infrastructure to register, gate, and surface them.
## What is the current behavior?
Clicking into the grid "traps" the keyboard: Escape doesn't pop out,
there are no shortcuts for row selection / deletion / navigation, and
the search-tables input grabs focus on page load.
## What is the new behavior?
### New shortcuts (all scoped to the table editor)
| Keybind | Action | Surface |
|---|---|---|
| `Esc` | Exit grid selection — clears the highlighted cell and drops focus back to the page | hotkey |
| `↑` / `↓` | Start grid navigation from the first cell when no cell is selected | hotkey |
| `Shift+Space` | Toggle selection on the current row | hotkey + checkbox tooltip |
| `Mod+A` | Toggle selection on all displayed rows (matches Excel) | hotkey + header-checkbox tooltip + Cmd+K |
| `Mod+Shift+A` | Toggle selection on all rows in the table | hotkey + "Select all rows in table" button tooltip + Cmd+K |
| `Mod+Backspace` | Delete selected rows | hotkey + delete-button tooltip + Cmd+K |
### Infrastructure
- **Split registry** — table-editor shortcuts moved to
`state/shortcuts/registry/table-editor.ts`, spread into `SHORTCUT_IDS`.
Makes it easy to scope a runtime check to a specific surface.
- **`eventMatchesAnyShortcut`** (`state/shortcuts/matchEvent.ts`) —
queries the hotkey library's live `SequenceManager` so gated shortcuts
(`enabled: false`) are correctly excluded. Covered by
`matchEvent.test.ts`.
- **`handleCellKeyDown`** now calls `event.preventGridDefault()`
whenever the keystroke matches an active table-editor shortcut, so rdg's
"start editing on key press" default doesn't compete with shortcut
actions (e.g. typing `Shift+X` no longer opens edit mode with `X` as
input).
- **`<Shortcut>` / `<ShortcutTooltip>`** used on the header checkbox,
the per-row checkbox, the "Select all rows in table" button, and the
delete button — keybinds show up on hover (Linear-style) so users can
discover them without reading docs.
- **CSS** — `.rdg:not(:focus-within) .rdg-cell[aria-selected='true']`
drops the selected-cell outline whenever focus leaves the grid,
reinforcing the "you're out" feedback after `Esc`.
- **`useShortcut`** wraps the Cmd+K-registered action to close the
command menu after firing (previously menu stayed open after selecting
an action).
- **Search-tables input** no longer auto-focuses on load, so arrow
shortcuts work immediately without clicking out first.
## Additional context
Linear: FE-3057
### Test plan
- [x] Open any table → `↓` selects the first cell; subsequent arrows
navigate rows
- [x] `Esc` drops focus out of the grid and re-enables `↓` to re-enter
- [x] Click a cell → `Shift+Space` toggles that row's selection
(checkbox)
- [x] `Mod+A` toggles all displayed rows
- [x] With pagination + some rows selected → `Mod+Shift+A` toggles
"Select all rows in table"
- [x] With rows selected → `Mod+Backspace` deletes them (existing
confirmation flow)
- [x] Hover the header checkbox / per-row checkbox / delete button →
keybind tooltip after ~500ms
- [x] Cmd+K with selection → the relevant action shows up; selecting it
closes the palette and runs
## Summary by CodeRabbit
* **New Features**
  * Added table editor keyboard shortcuts for navigation, row selection,
    and cell actions, with command-menu integration and visible shortcut
    tooltips.
* **Improvements**
  * Better keyboard handling in grid cells allowing external shortcuts to
    override default behavior.
  * Select-all/deselect-all toggle and improved select-row UX;
    selected-cell styling no longer shows when grid loses focus.
  * Command menu now reliably closes before executing shortcut actions.
  * Removed autofocus on the table editor search input for consistent
    focus behavior.
* **Tests**
  * Added unit tests covering shortcut matching and command-menu shortcut
    behavior.
## I have read the [CONTRIBUTING.md](https://github.com/supabase/supabase/blob/master/CONTRIBUTING.md) file.
YES
## What kind of change does this PR introduce?
humans.txt update
## Summary by CodeRabbit
* **Chores**
  * Updated team roster information.
Co-authored-by: Ryan Senior <ryan@Ryans-MacBook-Pro.local>
Fixes two small duplicate-word typos in troubleshooting guides:
- `apps/docs/content/troubleshooting/using-google-smtp-with-supabase-custom-smtp-ZZzU4Y.mdx`:
  "easy to to figure out" → "easy to figure out"
- `apps/docs/content/troubleshooting/why-is-my-service-role-key-client-getting-rls-errors-or-not-returning-data-7_1K9z.mdx`:
  "for for service role" → "for service role"
Pure docs typo fix — no functional changes.
## Summary by CodeRabbit
## Documentation
* Corrected grammatical errors in troubleshooting guides for Google
Workspace SMTP configuration and service-role key errors.
Fixes the same duplicate-word typo ("support support") in two quickstart
guides:
- `apps/docs/content/guides/auth/quickstarts/react.mdx`
- `apps/docs/content/guides/getting-started/tutorials/with-nextjs.mdx`
Both occurrences are in the "Customize email template" / "Email
template" sections:
> Before proceeding, change the email template to support ~~support~~ a
server-side authentication flow that sends a token hash:
Pure docs typo fix — no functional changes.
## Summary by CodeRabbit
* **Documentation**
  * Corrected typographical errors in authentication guides to improve
    clarity and readability.
Adds a worked example for combining a vector similarity search with a
filter on another column from the JS client, and a short note explaining
how filtering interacts with HNSW indexes (including iterative index
scans introduced in `pgvector` 0.8.0). The new `match_documents` variant
takes a typed filter parameter so the planner can apply the predicate
during the index scan, and a jsonb `@>` variant covers the
metadata-column case. Cross-links between `semantic-search`,
`vector-columns`, and `vector-indexes/hnsw-indexes` so readers land on
the answer regardless of which page they start on.
Closes supabase/supabase-js#896
## Summary by CodeRabbit
* **Documentation**
  * Added guidance for filtering vector and semantic search results by
    metadata, with JS client examples.
  * Explained how filters affect vector (HNSW) queries and planner choice
    between index and sequential scans.
  * Clarified that selective filters can reduce returned matches and
    documented pgvector 0.8.0 controls for iterative/index scan behavior.
---------
Co-authored-by: Jeremias Menichelli <jmenichelli@gmail.com>
Update humans.txt
## Summary by CodeRabbit
* **Chores**
  * Updated team roster information
## I have read the [CONTRIBUTING.md](https://github.com/supabase/supabase/blob/master/CONTRIBUTING.md) file.
YES
## What kind of change does this PR introduce?
New blog post to announce the OSSCAR Index.
## Summary by CodeRabbit
* **New Features**
  * Introduced the OSSCAR Index: a quarterly ranking of fastest-growing
    open-source organizations measured by stars, contributors, and package
    downloads.
  * Added downloadable badges for ranked projects.
* **Documentation**
  * Published the OSSCAR Index announcement with methodology, scoring
    rules, Q1 2026 highlights, and links to full scoring details and
    repository.
  * Updated site RSS feed to include the new announcement.
## I have read the [CONTRIBUTING.md](https://github.com/supabase/supabase/blob/master/CONTRIBUTING.md) file.
YES
## What kind of change does this PR introduce?
A little bit of tidy up here so the header area of unified logs isn't so
dominant. Moved actions to the same line as search bar and made other
parts a little more subtle, so the focus remains on the logs
themselves.
| Before | After |
|--------|--------|
| <img width="980" height="213" alt="Screenshot 2026-04-27 at 11 47 37" src="https://github.com/user-attachments/assets/ae22e7dd-272f-4433-a270-67b550a00536" /> | <img width="893" height="153" alt="Screenshot 2026-04-27 at 12 27 17" src="https://github.com/user-attachments/assets/87b8cfc9-66a4-4634-a3c6-c45e4b8fc486" /> |
## Summary by CodeRabbit
* **New Features**
  * Keyboard shortcut to toggle filter visibility in logs.
  * Consolidated top bar with refresh, view options, download, and live
    controls—desktop and mobile optimized.
* **Style**
  * More compact, organized header with tooltips showing live status and
    shortcut hints.
  * Reduced filter input typography and streamlined mobile filter trigger.
* **Other**
  * Side panel sizing and logs area layout refined for clearer visuals and
    consistent header/body styling.
## Context
Just merging the callouts - only show one at a time, instead of both
### Before
<img width="610" height="518" alt="image"
src="https://github.com/user-attachments/assets/58567f7e-99bf-4c84-8392-35573c646af6"
/>
### After
<img width="605" height="428" alt="image"
src="https://github.com/user-attachments/assets/975a5a30-2b36-4602-af8f-b79c2383f38b"
/>
## Summary by CodeRabbit
* **Bug Fixes**
  * Enhanced RLS Tester to prevent conflicting policy status messages from
    appearing simultaneously. The interface now properly displays only the
    relevant message about policy configuration and evaluation status,
    improving clarity when reviewing row-level security results.
This PR preps the monorepo for a migration to Tailwind v4:
- Bump all Tailwind dependencies and libraries to the latest possible
version, while still compatible with Tailwind 3.
- Cleans up obsolete Tailwind 3 specific options and configs.
- Cleans up unused CSS files and fixes the CSS imports.
- Migrates all `important` uses in `@apply` lines to using the `!`
prefix.
- Move `typography.css` to the `config` package and import it from the
apps.
- Migrated all occurrences of `flex-grow`, `flex-shrink`,
`overflow-clip` and `overflow-ellipsis` since they're deprecated and
will be removed in Tailwind 4.
- Make the default theme object typesafe in the `ui` package.
- Migrate all `bg-opacity`, `border-opacity`, `ring-opacity` and
`divider-opacity` to the new format where they're declared as part of
the property color.
- Bump and unify all imports of `postcss` dependency.
## I have read the [CONTRIBUTING.md](https://github.com/supabase/supabase/blob/master/CONTRIBUTING.md) file.
YES
## What kind of change does this PR introduce?
Bug fix. Resolves DEPR-511.
## What is the current behavior?
Paused projects in `Project Settings > General > Project availability`
still present restart/pause maintenance controls, but no resume
affordance. That makes the resume path hard to discover from Settings
and pushes users back to the project dashboard to find the correct
action.
The paused state also keeps showing a redundant disabled `Pause project`
row, and the pause confirmation uses a more flexible modal than this
flow needs.
DEPR-519 already covered the unhealthy-project restart guard, but not
this paused-project discoverability path.
## What is the new behavior?
Project Settings is now paused-project aware. It shows a shared `Resume
project` action when the project can still be restored, falls back to
the project dashboard when the restore window has expired or pause
status cannot be confirmed, and reuses the same resume flow, permission
checks, and free-tier guardrails as the paused dashboard.
While a project is already paused, the redundant `Pause project` row is
hidden so the section stays focused on the real next action. For active
projects, the pause row remains in place, including the useful disabled
tooltip states for plans that cannot pause.
The pause confirmation now uses `AlertDialog` with shorter, more
accurate copy about the restore window, and the restart controls now
behave more consistently on smaller breakpoints. The Project Settings
command-menu entry is also searchable via `resume project`.
| Before | After |
| --- | --- |
| <img width="1602" height="566" alt="CleanShot 2026-04-24 at 18 05 25@2x" src="https://github.com/user-attachments/assets/bd8f4095-0360-443c-a179-185da69eb9e8" /> | <img width="1538" height="408" alt="CleanShot 2026-04-24 at 18 06 12@2x" src="https://github.com/user-attachments/assets/7ac26529-4b54-460e-89c3-927891d873d8" /> |
| <img width="1524" height="524" alt="CleanShot 2026-04-24 at 18 08 53@2x" src="https://github.com/user-attachments/assets/f3c49c46-b389-4324-b982-f557b159623e" /> | <img width="1528" height="550" alt="CleanShot 2026-04-24 at 18 08 30@2x" src="https://github.com/user-attachments/assets/4021e2bb-f22f-40db-be43-de6d0fb571b3" /> |
| <img width="896" height="558" alt="CleanShot 2026-04-24 at 17 41 40@2x" src="https://github.com/user-attachments/assets/31569aec-89a6-4984-8011-39d8b102c90f" /> | <img width="912" height="502" alt="CleanShot 2026-04-24 at 18 10 34@2x" src="https://github.com/user-attachments/assets/f19dcd27-12e6-4a2f-8eed-ca709e77dfa1" /> |
## Summary by CodeRabbit
* **New Features**
  * Added a tooltip-enabled "Resume project" button that handles
    permissions, free-plan member gating, optional Postgres version
    selection, and navigates to the project after restore.
* **UX**
  * Pause confirmation migrated to an alert-style dialog with updated copy
    and disabled controls during pausing.
  * Restart controls updated for improved responsive layout and refreshed
    button visuals.
  * Project settings now show appropriate resume/dashboard actions based
    on pause/restore eligibility.
* **Tests**
  * Added tests for active, resumable-paused, and non-resumable-paused
    states.
---------
Co-authored-by: Joshen Lim <joshenlimek@gmail.com>
## Context
Adds a banner on the auth policies page for the new RLS tester feature
preview
<img width="307" height="310" alt="image"
src="https://github.com/user-attachments/assets/6864c2cb-c3b8-4c1f-8dce-57411425e17d"
/>
Also adds a Give feedback button in the RLS Tester sheet footer
<img width="616" height="73" alt="image"
src="https://github.com/user-attachments/assets/64755f56-4e27-4b54-92b2-a894badc0b88"
/>
<!-- This is an auto-generated comment: release notes by coderabbit.ai
-->
## Summary by CodeRabbit
* **New Features**
* RLS Tester preview banner added to the policies page with animated
content and a locally persisted dismissed state.
* Enabling the RLS Tester via the preview also dismisses and records the
banner dismissal.
* New feedback link added to the RLS Tester UI that opens in a new tab.
* **Layout/Providers**
* Banner stack context moved so banner state is available more broadly
across the app.
<!-- end of auto-generated comment: release notes by coderabbit.ai -->
prolly Introduced in:
- #45130 &
- Closes #45301
<!-- This is an auto-generated comment: release notes by coderabbit.ai
-->
## Summary by CodeRabbit
* **Documentation**
* Updated guides for Realtime Broadcast and Presence features with
simplified API key retrieval links. The revised documentation now
provides a more streamlined path to access the configuration dialog for
retrieving API credentials, enhancing clarity and reducing setup
friction for real-time functionality.
<!-- end of auto-generated comment: release notes by coderabbit.ai -->
## Why
Two auto-generated files have been tracked in git but the committed
copies are stale because every Vercel deploy overrides them in the build
artifact. Both have misled at least one investigation into thinking
production was out of date.
| File | Generator | Live (prod) | Committed (master) |
|---|---|---|---|
| `apps/www/public/sitemap_www.xml` | `pnpm postbuild` ->
`internals/generate-sitemap.mjs` | 704 URLs, `last-modified` matches
latest deploy | 604 URLs, last touched 2025-09-30 (`cb66b6b6`) |
| `apps/ui-library/public/llms.txt` | `pnpm build:llms` ->
`scripts/build-llms-txt.ts` (wired into `build`) | 57 entries, `Last
updated: 2026-04-27` | 56 entries, `Last updated: 2026-02-20` (last
touched 2026-03-17, `9bf981f3`) |
Production has been correct the whole time. The git copies just look
authoritative when they aren't, and they show up in audits and code
searches as if they were the live data.
The same gitignore pattern is already applied to
`apps/www/public/sitemap.xml` at `apps/www/.gitignore:29` — this PR
extends the pattern to two more files that should never have been
committed.
Discovered while investigating AI-bot crawl optimization for
`supabase.com/llms-full.txt`. An audit initially flagged "sitemap is
stale, missing 44 blog posts" — that turned out to be entirely about
reading the dead git file. Same kind of false signal would happen for
anyone inspecting the ui-library llms.txt locally.
## What changes
**`apps/www`:**
- Add `public/sitemap_www.xml` to `apps/www/.gitignore`.
- `git rm --cached apps/www/public/sitemap_www.xml`.
- Updated the gitignore comment to mention the regeneration path.
**`apps/ui-library`:**
- Add `public/llms.txt` to `apps/ui-library/.gitignore` (with a comment
pointing at the generator).
- `git rm --cached apps/ui-library/public/llms.txt`.
Both files remain on disk locally; their respective build steps
regenerate them as before.
## What does NOT change
- Production behavior for either file: postbuild / build:llms remain
authoritative.
- Generator code: `apps/www/internals/generate-sitemap.mjs` and
`apps/ui-library/scripts/build-llms-txt.ts` are untouched.
- robots.txt, sitemap index, docs sitemap: unchanged.
- `apps/learn/public/llms.txt`: left tracked. Its generator
(`apps/learn/scripts/build-llms-txt.ts`) is **not** wired into the
`build` script, so it's manually generated and committed — different
pattern, leave alone.
## Test plan
- [ ] After merge, trigger or wait for next prod deploy. Confirm
`https://supabase.com/sitemap_www.xml` still serves a fresh ~700-URL
response with current `last-modified` header.
- [ ] Confirm `https://supabase.com/ui/llms.txt` still serves a fresh
response with `Last updated:` matching the deploy date.
- [ ] Confirm `git ls-files apps/www/public/ apps/ui-library/public/` no
longer lists either file.
<!-- This is an auto-generated comment: release notes by coderabbit.ai
-->
## Summary by CodeRabbit
* **Chores**
* Improved handling of auto-generated sitemap files so they are no
longer tracked in the repo after builds.
* **Documentation**
* Removed the published auto-generated LLMs reference page from the UI
library to avoid shipping stale documentation.
<!-- end of auto-generated comment: release notes by coderabbit.ai -->
## Summary
Adds `/<page>.md` routes for 10 marketing/product pages (homepage, auth,
database, edge-functions, realtime, storage, vector, pricing,
modules/cron, modules/queues) so AI agents can fetch clean markdown
instead of parsing JS-rendered HTML. Also advertises the markdown
alternate via `<link rel="alternate" type="text/markdown">` on marketing
and docs pages so agents can discover it.
Pricing is generated dynamically via `generatePricingContent()` (single
source of truth with `/llms.txt` and `/llms-full.txt`); the other nine
slugs are bundled at build time from `content/md/*.md` into a
`MD_CONTENT` map.
Supersedes #44891 (rebased fresh off current master to avoid a 9-commit
replay over rename/rename conflicts created by #44897).
## Changes
- New `/api-v2/md/[...slug]` route handler returns the bundled markdown
(or dynamic pricing) with `Content-Type: text/markdown`,
`X-Content-Type-Options: nosniff`, and appropriate cache headers
- Middleware rewrites `/<slug>.md` and `Accept: text/markdown` to the
API route for the `MD_PAGES` allowlist; trailing-slash variants
(`/auth/`) are normalized so they resolve the same as `/auth`
- Build-time codegen `scripts/generateMdContent.mjs` scans `content/md/`
and emits `app/api-v2/md/content.generated.ts` exporting both
`MD_CONTENT` (Map) and `MD_PAGES` (Set, incl. dynamic `pricing`). Fails
the build on slug collision between `content/md/` and `DYNAMIC_SLUGS`.
Adding a new marketing `.md` is just dropping a file in `content/md/`
(also update `PRODUCT_OVERVIEW_LINKS` in `/llms.txt` since that list is
editorial).
- 8 permanent redirects `/llms/<product>.txt` → `/<product>.md` so
legacy URLs in caches and downstream `llms.txt` copies keep working
- `/llms.txt` product overview now references `.md` URLs (incl.
`modules/cron`, `modules/queues`); `/llms-full.txt` iterates
`MD_CONTENT.values()` (homepage first, then alphabetical) and appends
dynamic pricing
- `/llms/[slug]` route slimmed to proxy SDK reference files (`js.txt`,
`dart.txt`, etc.) since redirects handle product slugs and pricing;
pricing branch retained as fallback in case redirects are bypassed
- `apps/www/pages/_app.tsx` injects the alternate link conditionally
based on `MD_PAGES`; `/pricing` (app router) sets it via page metadata
- `apps/docs/app/page.tsx` (the `/docs` root) sets the text/markdown
alternate to `/llms-full.txt`; per-guide pages override with their
specific `.md` URL via `genGuideMeta` in `GuidesMdx.utils.tsx`. Other
docs pages (reference, troubleshooting) inherit nothing.
- `apps/www/.vercelignore`: replaces the prior `*.md`/`README.md` rules
with `*.md` + `!content/md/**/*.md` so Edge Function READMEs and future
scratch `.md` files aren't silently shipped to the build artifact
- Drops `apps/www/data/llms/*.txt` and the related
`outputFileTracingIncludes`
- Test coverage for the new middleware branches: `.md` suffix rewrite
(allowlisted vs. fall-through), `Accept: text/markdown` content
negotiation, trailing-slash normalization
## Testing (Vercel preview)
Local dev server smoke tests passing on `:3771` after each iteration.
Re-verified on the preview URL after the latest hardening commit:
- [x] `curl -I https://<preview>/llms/auth.txt` — expect `308 Permanent
Redirect` to `/auth.md`
- [x] `curl https://<preview>/auth.md | head -3` — expect `# Supabase
Auth`
- [x] `curl https://<preview>/pricing.md | head -3` — expect `# Supabase
Pricing` with current tier values
- [x] `curl https://<preview>/modules/cron.md | head -3` — expect `#
Supabase Cron`
- [x] `curl -H 'Accept: text/markdown' https://<preview>/ | head -3` —
expect `# Supabase` (homepage.md)
- [x] `curl https://<preview>/llms.txt` — Product Overview section lists
`.md` URLs and includes Cron + Queues
- [x] `curl https://<preview>/llms-full.txt | grep -E '^# Supabase
(Cron|Queues|Pricing)'` — Cron and Pricing each match once; Queues
matches twice (marketing module + existing docs guide)
- [x] View source on `/`, `/pricing`, `/database` — expect `<link
rel="alternate" type="text/markdown" href="/<slug>.md">`
- [x] View source on `/docs` — expect `<link rel="alternate"
type="text/markdown" href="/llms-full.txt">`
- [x] View source on a docs guide page (e.g., `/docs/guides/auth`) —
expect per-guide `.md` alternate; reference/troubleshooting pages should
NOT emit a markdown alternate
- [x] `curl -I https://<preview>/auth.md` — expect
`X-Content-Type-Options: nosniff`
- [x] `curl -I -L -H 'Accept: text/markdown' https://<preview>/auth/` —
should resolve to markdown content (trailing-slash normalization, with
Vercel's auto-redirect)
## Linear
- fixes GROWTH-760
## Follow-up (separate PR)
GROWTH-760 also asks about extending `.md` to blog/customers/events.
Different mechanism (path-prefix middleware, MDX read at request time
via `gray-matter`) so it deserves its own review. Will open a follow-up
PR after this lands.
<!-- This is an auto-generated comment: release notes by coderabbit.ai
-->
## Summary by CodeRabbit
* **New Features**
* Serve prebuilt and dynamic Markdown docs via new markdown endpoints
and routing; pages now advertise markdown alternates (including
pricing).
* Added Cron and Queues module documentation pages.
* **Documentation**
* Minor formatting tweaks to Realtime and Storage docs.
* **Chores**
* Added build-time Markdown content generation and adjusted
ignore/deploy rules for generated files.
* Added redirects from legacy text-based product URLs to new markdown
pages.
* **Tests**
* Expanded tests for markdown routing and content-negotiation behavior.
<!-- end of auto-generated comment: release notes by coderabbit.ai -->
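The rewrite rule from the Changes list above (allowlist, `.md` suffix, `Accept: text/markdown`, trailing-slash normalization, `nosniff`), as an added example; it is not the PR's middleware code. `MD_PAGES` and the `/api-v2/md/` prefix come from the PR text, while the function names, the hand-written slug set and the `/` to `homepage` mapping are assumptions.

```javascript
// Added example, not Supabase's middleware. MD_PAGES and the /api-v2/md/
// prefix are named in the PR text; every other name here is hypothetical.

// Allowlist built from the ten pages the PR summary lists. In the PR this set
// is generated at build time; here it is written out by hand.
const MD_PAGES = new Set([
  'homepage', 'auth', 'database', 'edge-functions', 'realtime',
  'storage', 'vector', 'pricing', 'modules/cron', 'modules/queues',
])

const MD_ROUTE_PREFIX = '/api-v2/md/'

// Turn a page path into a candidate slug. One trailing slash is stripped so
// "/auth/" and "/auth" resolve the same; "/" maps to "homepage" (assumed).
function pathToSlug(pathname) {
  let p = pathname
  if (p.length > 1 && p.endsWith('/')) p = p.slice(0, -1)
  if (p === '/') return 'homepage'
  return p.slice(1)
}

// True when the Accept header lists text/markdown with a non-zero q value.
function acceptsMarkdown(accept) {
  if (!accept) return false
  return accept.split(',').some((part) => {
    const [type, ...params] = part.split(';').map((s) => s.trim().toLowerCase())
    if (type !== 'text/markdown') return false
    const q = params.find((x) => x.startsWith('q='))
    return q === undefined || parseFloat(q.slice(2)) > 0
  })
}

// Returns the internal rewrite target, or null to fall through to the
// normal HTML page.
function resolveMarkdownRewrite(pathname, accept) {
  let slug = null
  if (pathname.endsWith('.md')) {
    slug = pathname.slice(1, -3) // "/modules/cron.md" -> "modules/cron"
  } else if (acceptsMarkdown(accept)) {
    slug = pathToSlug(pathname)
  }
  // Exact set membership only: the slug is never joined into a file path, so
  // "/auth/../secret.md" or an unknown page cannot reach anything that was
  // not bundled at build time.
  if (slug === null || !MD_PAGES.has(slug)) return null
  return MD_ROUTE_PREFIX + slug
}

// Headers the PR lists for the markdown response (cache headers omitted
// because the PR text gives no values). nosniff stops a browser from
// MIME-sniffing the markdown body and rendering it as HTML.
function markdownHeaders() {
  return {
    'Content-Type': 'text/markdown',
    'X-Content-Type-Options': 'nosniff',
  }
}

// Constructed sample requests: [pathname, Accept header].
const samples = [
  ['/auth.md', ''],
  ['/auth/', 'text/markdown'],
  ['/', 'text/html, text/markdown;q=0.9'],
  ['/blog.md', ''],
  ['/auth/../secret.md', ''],
  ['/auth', 'text/markdown;q=0'],
]
for (const [path, accept] of samples) {
  console.log(path, JSON.stringify(accept), '->', resolveMarkdownRewrite(path, accept))
}
```
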
## What kind of change does this PR introduce?
UI and copywriting improvements for temporary access.
## What is the current behavior?
The temporary access UI still used older JIT/ephemeral naming in some
places, did not clearly explain the setup requirements, and had to infer
unavailable states from Platform error message text.
## What is the new behavior?
The settings UI now uses temporary access naming consistently, explains
that temporary access uses short-lived tokens for manual database
connections, and renders clearer unavailable states for projects that
require either a Postgres upgrade or a platform migration.
The Studio query now consumes Platform’s structured `unavailableReason`
contract instead of parsing human-readable error strings, so the UI owns
the copy while Platform owns the eligibility reason.
Validation:
- `pnpm eslint
components/interfaces/Settings/Database/JitDatabaseAccess/JitDbAccessConfiguration.tsx
data/jit-db-access/jit-db-access-query.ts`
- `pnpm tsc --noEmit --pretty false`
<!-- This is an auto-generated comment: release notes by coderabbit.ai
-->
## Summary by CodeRabbit
* **New Features**
* IP range input now supports one CIDR range per row with add/remove
rows and form integration.
* **Documentation**
* Replaced “JIT” wording with “Temporary” / “Ephemeral token-based”
access across UI, dialogs, toasts, and help links.
* Added minimum PostgreSQL version requirement (17.6.1.081+).
* **Improvements**
* Per-row CIDR validation with precise nested error messages.
* Refined layout spacing and moved the temporary-access configuration
earlier in Database settings.
<!-- end of auto-generated comment: release notes by coderabbit.ai -->
---------
Co-authored-by: Etienne Stalmans <etienne@supabase.io>
Co-authored-by: Claude Sonnet 4.6 <noreply@anthropic.com>
Co-authored-by: Joshen Lim <joshenlimek@gmail.com>
## I have read the
[CONTRIBUTING.md](https://github.com/supabase/supabase/blob/master/CONTRIBUTING.md)
file.
YES
## What kind of change does this PR introduce?
push client directive to leaf interactive components, keep content in
server shell
## What is the current behavior?
/pricing and blog pages are rendered client side, so crawlers don't
get any content on fetch.
Verify content with
```bash
# Strip scripts, styles and tags, then count the words left in the served HTML
curl -s http://localhost:3000/pricing | sed 's/<script[^>]*>.*<\/script>//g; s/<style[^>]*>.*<\/style>//g; s/<[^>]*>//g' | wc -w
curl -s http://localhost:3000/blog | sed 's/<script[^>]*>.*<\/script>//g; s/<style[^>]*>.*<\/style>//g; s/<[^>]*>//g' | wc -w
# Replace <some-slug> with a real post slug; the URL is quoted so the shell does not read < and > as redirections
curl -s 'http://localhost:3000/blog/<some-slug>' | sed 's/<script[^>]*>.*<\/script>//g; s/<style[^>]*>.*<\/style>//g; s/<[^>]*>//g' | wc -w
```
<!-- This is an auto-generated comment: release notes by coderabbit.ai
-->
## Summary by CodeRabbit
* **New Features**
* Featured blog post now displays prominently on the blog landing page
* Added smooth anchor link navigation on the pricing page
* Improved table of contents tracking with scroll-to-anchor behavior on
blog posts
* Enhanced pricing comparison and plans sections with better data
integration
<!-- end of auto-generated comment: release notes by coderabbit.ai -->
Just replace PH flag with ConfigCat flag for edge functions index error
rates
<!-- This is an auto-generated comment: release notes by coderabbit.ai
-->
## Summary by CodeRabbit
* **Refactor**
* Switched how the feature flag for edge functions request metrics is
read, affecting whether last-hour metrics columns are displayed.
* **Bug Fix**
* Fixed table layout so the "No results found" row correctly spans the
appropriate number of columns depending on whether last-hour stats are
shown, preventing misaligned table rows and improving display
consistency.
<!-- end of auto-generated comment: release notes by coderabbit.ai -->
---------
Co-authored-by: Joshen Lim <joshenlimek@gmail.com>
Currently when a user clicks the **Install integration** button on an
OAuth integration like Grafana, they are redirected to the partner
website in the same tab in which they clicked the button. This makes
them lose context in the Supabase Studio. This PR changes the behaviour
such that the partner website will be opened in a new tab.
<!-- This is an auto-generated comment: release notes by coderabbit.ai
-->
## Summary by CodeRabbit
* **Bug Fixes**
* OAuth integration installation now opens the redirect URL in a new
browser tab instead of redirecting the current window, allowing users to
remain in the application while completing the integration process.
<!-- end of auto-generated comment: release notes by coderabbit.ai -->
## Context
Resolves FE-3077
Related discussion: https://github.com/orgs/supabase/discussions/45233
Verifying the correctness of your RLS policies set up has always been a
gap, as highlighted by a number of GitHub discussions like
[here](https://github.com/orgs/supabase/discussions/12269) and
[here](https://github.com/orgs/supabase/discussions/14401). As such,
we're piloting a dedicated UI for RLS testing (using role impersonation
as the base), in which you'll be able to
- Run a SQL query as a user (not logged in / logged in - this is the
role impersonation part)
- See which RLS policies are being evaluated as part of the query
- And hopefully be able to debug which policies are not set up correctly
Changes are currently set as a feature preview - and we'll iterate as we
get feedback from everyone 🙂🙏
<img width="613" height="957" alt="image"
src="https://github.com/user-attachments/assets/83c37f8a-28fc-43b3-b0ff-e28571d8710c"
/>
<!-- This is an auto-generated comment: release notes by coderabbit.ai
-->
## Summary by CodeRabbit
* **New Features**
* RLS Tester: run queries as anon or authenticated users, view inferred
SQL, per-table policy summaries, and data previews of accessible rows.
* UI preview: new RLS Tester preview card and modal with opt-in toggle;
RLS Tester sheet with role/user selector and query editor.
* SQLEditor: “Explain” tab is always visible.
* **Chores**
* Added supporting API endpoints, background checks for table RLS
status, and a local-storage flag to persist the preview opt-in.
<!-- end of auto-generated comment: release notes by coderabbit.ai -->
## What kind of change does this PR introduce?
Bug fix.
## What is the current behavior?
PR #44965 introduced an unused `cardExpiryLabel` constant in
`CreditCard.tsx`, which causes `studio#typecheck` to fail with `TS6133`
after the branch is merged into `master`.
## What is the new behavior?
Removes the unused constant so Studio typecheck passes again without
changing payment method behaviour.
<!-- This is an auto-generated comment: release notes by coderabbit.ai
-->
## Summary by CodeRabbit
* **Refactor**
* Removed unused code to improve code quality and maintainability.
<!-- end of auto-generated comment: release notes by coderabbit.ai -->
## What kind of change does this PR introduce?
UI changes for Stripe-managed billing surfaces.
- Resolves DEPR-537
- Related to DEPR-538
## What is the current behaviour?
Stripe-connected organisations still look too self-serve in Studio.
- Payment Methods still reads mostly like ordinary Supabase card
management, even though billing is handled through a Shared Payment
Token via Stripe Projects
- invoice messaging still implies support is the path to changing
payment methods, even for Stripe-managed orgs
- the Subscription Plan flow still needs Stripe-specific guardrails so
users are redirected to the correct upgrade path rather than trying to
self-serve everything in Studio
- the base branch now correctly separates `integration_source` from
`billing_partner`, but this stacked work still needs to carry that split
through the Stripe billing-token surfaces
## What is the new behaviour?
This PR makes the Stripe-managed billing surfaces behave like
Stripe-managed billing surfaces, while leaving AWS and Vercel on the
existing `billing_partner` path.
- Payment Methods now keeps the familiar saved-card row, but augments
Stripe-managed rows with Shared Payment Token context, token status, and
Stripe Projects affordances
- Stripe-managed invoice messaging now points users to Stripe Projects
rather than to support for payment-method changes
- the Subscription Plan flow keeps the existing managed-billing shape,
with Stripe-specific guardrails layered in where plan changes should be
handled outside Studio
- AWS and Vercel continue to use the existing partner-managed alerts and
CTAs driven by `billing_partner` / `billing_via_partner`
| Subscription plan sheet |
| --- |
| <img width="1780" height="448" alt="CleanShot 2026-04-24 at 17 21
43@2x"
src="https://github.com/user-attachments/assets/34c0f3ba-fc42-4d07-97a2-0e4f4cefc55e"
/> |
| _Upgrade instructions_ |
| <img width="1786" height="460" alt="CleanShot 2026-04-24 at 17 20
12@2x"
src="https://github.com/user-attachments/assets/bb67c835-b9b2-4648-b0e1-9c2f8d2317d3"
/> |
| _Downgrade instructions_ |
> [!NOTE]
> The below screenshots are outdated. The _Shared Payment Token_
terminology has been removed in favour of more generic copy such as
_Stripe Projects token_.
| Stripe payment method states |
| --- |
| <img width="1436" height="234" alt="CleanShot 2026-04-23 at 19 03
49@2x"
src="https://github.com/user-attachments/assets/52ed7a00-dfba-4b66-9a07-a6346692d3c8"
/> |
| _Healthy_ |
| <img width="1434" height="224" alt="CleanShot 2026-04-23 at 19 04
50@2x"
src="https://github.com/user-attachments/assets/94efd943-b7bf-4da2-9e1b-1828aae97126"
/> |
| _Card expiring soon_ |
| <img width="1436" height="236" alt="CleanShot 2026-04-23 at 19 06
51@2x"
src="https://github.com/user-attachments/assets/272cb707-c724-4629-890e-853972e53a18"
/> |
| _Card expired_ |
| <img width="1308" height="238" alt="CleanShot 2026-04-23 at 19 07
21@2x"
src="https://github.com/user-attachments/assets/3eadd2a9-def3-4f43-850e-7d82adfb0b57"
/> |
| _Token expired_ |
## Dependencies
This PR is stacked on:
- #44328
It also depends on the private platform work that exposes Stripe project
connection state and SPT details:
- https://github.com/supabase/platform/pull/31874
- https://github.com/supabase/platform/pull/31940
## Platform dependency status
Most of the remaining platform work for this stack is now covered by the
private dependency below:
- https://github.com/supabase/platform/pull/31940
That PR is expected to provide the SPT details and paid-flow fixes this
Studio work depends on. In practice, the main caveat here is less
“Studio still needs a bunch of new platform work” and more “do not merge
this until `platform#31940` has landed and the end-to-end Stripe-managed
flow has been rechecked”.
## Local testing
Use the same local Stripe setup as the base branch, with
`integration_source: 'stripe_projects'` returned consistently for:
- `/platform/organizations`
- `/platform/organizations/:slug/projects`
- `/platform/projects/:ref`
For payment method demos, the temporary local mock currently lives in
private `platform` on:
- `/platform/organizations/:slug/payments`
That mock can be flipped between:
- healthy token + healthy underlying card
- healthy token + card expiring soon
- healthy token + expired card
- expired token
Then verify:
- the org and project connection affordances from #44328 still render
correctly
- Payment Methods shows Stripe-managed token context rather than
implying ordinary self-serve card management
- regression test ordinary non-Stripe payment methods too, to confirm
the standard saved-card row still renders with the existing `Expires:`
copy and no Shared Payment Token affordances
- invoice messaging points Stripe-managed orgs to Stripe Projects rather
than support
- Subscription Plan keeps the managed-billing guardrails for Stripe
- AWS and Vercel orgs still show the existing partner-managed messaging
rather than the Stripe-specific notices
<!-- This is an auto-generated comment: release notes by coderabbit.ai
-->
## Summary by CodeRabbit
* **New Features**
* Stripe-managed organizations show Stripe Projects billing guidance,
replace in-app payment management with Stripe links, and adjust billing
copy.
* Payment methods support Shared Payment Tokens (SPTs): token
expiry/status badges with tooltips, “Handled via Stripe Projects”
indicator, token last4/expiry display, and disabled local update/delete
actions for SPTs.
* **API**
* Payments response now includes optional shared payment token details
for payment methods.
* **Documentation**
* Added links to Stripe Projects billing docs in relevant flows.
* **Tests**
* Updated and added tests covering Stripe-managed and SPT behaviors.
<!-- end of auto-generated comment: release notes by coderabbit.ai -->
---------
Co-authored-by: Claude Sonnet 4.6 <noreply@anthropic.com>
Co-authored-by: Raúl Barroso <code@raulb.dev>
Removes the temporary killswitch added when Braintrust was onboarded as
a subprocessor, to satisfy the 30-day DPA notice obligation. The window
has elapsed and legal has cleared removal.
Drops the `orgIsDpaSigned` check from `isTracingAllowed`, removes the
extra `/platform/organizations/{slug}/documents/dpa-signed` network hop
from `getOrgAIDetails`, and cleans up all call sites and tests.
Closes AI-596
<!-- This is an auto-generated comment: release notes by coderabbit.ai
-->
## Summary by CodeRabbit
* **Refactor**
* Simplified AI tracing eligibility logic by removing DPA signing status
checks. Tracing authorization decisions now depend solely on region,
HIPAA addon status, and project sensitivity settings.
<!-- end of auto-generated comment: release notes by coderabbit.ai -->
## Summary
- Show the plan name row in the monthly invoice estimate tooltip even
when the organization has no projects, so the section no longer appears
headerless next to the tax line.
## Test plan
- [ ] Open an org with no projects → Subscription plan update dialog →
hover the "Monthly invoice estimate" tooltip → verify the plan name +
price row is visible.
- [ ] Repeat on an org with projects → verify plan, Compute row, and
project breakdown all still render as before.
<!-- This is an auto-generated comment: release notes by coderabbit.ai
-->
## Summary by CodeRabbit
* **Refactor**
* Improved rendering of the Monthly invoice estimate table in the
subscription plan update dialog, with reorganized display logic for plan
and project billing rows.
<!-- end of auto-generated comment: release notes by coderabbit.ai -->
## Summary
- Show a `ShimmeringLoader` skeleton in the new-org form while the
creation preview is fetching for the first time, so users see feedback
after entering their billing address.
- Disable the **Create organization** button while the preview is
refetching, to prevent submitting on stale totals.
- Replace the inline charge summary with the
shared `ChargeBreakdown` component, extending it with an
optional `subtotalLabel` prop (defaults to `"Subtotal"`, `"Plan
price"` here) to preserve the existing copy.
## Test plan
- [ ] Navigate to `/new` → pick Pro/Team → enter a billing address →
confirm shimmer shows until the first preview resolves.
- [ ] Change address/tax ID → confirm existing totals fade to 50% while
refetching and the submit button is disabled during the fetch.
- [ ] Confirm the breakdown still renders "Plan price", "Tax (x%)", and
"Total due today" correctly
- [ ] FREE plan path unaffected — no preview request, submit button
behaves as before.
<!-- This is an auto-generated comment: release notes by coderabbit.ai
-->
## Summary by CodeRabbit
* **Improvements**
* Organization creation form now displays loading placeholders while
billing preview data is being fetched, providing clearer visual feedback
during the calculation process
* Submit button is now properly disabled during billing information
retrieval
* Billing breakdown display has been refined for improved consistency
<!-- end of auto-generated comment: release notes by coderabbit.ai -->
## Summary
- Adds an Enable/Disable dropdown action in each row of the custom OAuth
providers list.
- Disabling opens a confirmation modal that calls the existing update
API with `enabled: false`; enabling is immediate (restorative, no
confirmation).
- Removes the hardcoded `enabled: true` from the edit sheet's update
payload so editing a disabled provider no longer silently re-enables it.
Closes
[FE-3067](https://linear.app/supabase/issue/FE-3067/add-disable-button-for-custom-oauth-providers).
## Test plan
- [x] Create a custom OAuth provider — it is enabled by default.
- [x] Click the row menu → "Disable". Confirm in the modal. Row shows
`Disabled` badge.
- [x] Click the row menu → "Enable". Row immediately flips back to
`Enabled`.
- [x] Edit a disabled provider via the "Update" action, save. Verify it
remains `Disabled` (no silent re-enable).
- [x] Delete action still works.
<!-- This is an auto-generated comment: release notes by coderabbit.ai
-->
## Summary by CodeRabbit
## Release Notes
* **New Features**
* Added enable/disable toggle controls for individual custom OAuth
providers in the provider list
* Added confirmation dialog when disabling a provider to prevent
accidental changes
<!-- end of auto-generated comment: release notes by coderabbit.ai -->
Adds a top-level `logs:all` flag (default `true`) so self-hosted and
local setups can hide the logs pages in Studio when Logflare isn't
configured — no separate Studio build required. The flag itself works
everywhere; the additional `ENABLED_FEATURES_LOGS_ALL` env-var override
(from FE-3036) is the self-hosted escape hatch so deployers can flip it
without a custom build — that part is a no-op on `IS_PLATFORM` because
hosted feature gating flows through `profile.disabled_features` instead.
Addresses
[COM-205](https://linear.app/supabase/issue/COM-205/add-feature-flag-to-disable-all-logs-in-studio).
**Added:**
- `logs:all` feature flag in `enabled-features.json` + schema
**Changed:**
- Sidebar "Logs" nav entry is hidden when `logs:all` is off (same
pattern as `reports:all` / `billing:all`)
- Cmd-K "Logs Explorer" / "Auth Logs" / etc. routes are hidden when the
flag is off
- `LogsLayout` renders `<UnknownInterface />` (soft-404) when the flag
is off — covers all ~18 logs pages in one spot
- `/logs/index.tsx` applies the same soft-404 for the unified-logs entry
point
## To test
Needs to be tested locally (preview doesn't let you flip the flag —
hosted gating is profile-driven, not env-driven). Two ways:
- Temporarily edit `"logs:all": false` in
`packages/common/enabled-features/enabled-features.json` and run `pnpm
dev:studio`, or
- Run Studio locally with `ENABLED_FEATURES_LOGS_ALL=false` (env-var
path, same as how self-hosted deployers would use it)
With the flag **off**:
- Sidebar "Logs" entry is hidden
- Cmd-K search for "Logs" / "Auth Logs" / "Postgres Logs" etc. returns
nothing
- Direct navigation to `/project/<ref>/logs`,
`/project/<ref>/logs/explorer`, `/project/<ref>/logs/auth-logs`,
`/project/<ref>/logs/postgres-logs` (etc.) all render the "Looking for
something?" soft-404 with a Head back button
With the flag **on** (default): everything works as it does today.
**Check on the preview deploy too** — nothing should change, no
behaviour difference on hosted.
Co-authored-by: Alaister Young <10985857+alaister@users.noreply.github.com>